Office (OLE) / .DOC malware analysis — malicious · 63ab033fa8c93b99

MALICIOUS

Office (OLE) / .DOC

197.1 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word

MD5: d73f701fddff3ebab775c517e5dab5c7 SHA-1: 46deccea5336dfe8651b4f6fcf2d75da09ea0a15 SHA-256: 63ab033fa8c93b99748651bc5edc778754bc881e7171d3a206e837fc8d0e1078

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic firing for XOR-encoded strings suggests that malicious code is present and hidden. The document's purpose is likely to exploit a client-side vulnerability to execute arbitrary code.

Heuristics 2

XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 201,859 bytes but its declared streams total only 20,635 bytes — 181,224 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.